diff options
| author |   Naga Bhavani Akella <quic_nakella@quicinc.com> | 2024-06-28 12:13:12 +0530 |
|---|---|---|
| committer |   Jason Zaman <perfinion@gentoo.org> | 2024-09-21 15:28:29 -0700 |
| commit | a2487221832af4dd3b4e8bef8ad70d3e97975015 (patch) | |
| tree | 64ff08e9e1a9918da0162d2864e2ecf35915d259 /policy | |
| parent | Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets. (diff) | |
| download | hardened-refpolicy-a2487221832af4dd3b4e8bef8ad70d3e97975015.tar.gz hardened-refpolicy-a2487221832af4dd3b4e8bef8ad70d3e97975015.tar.bz2 hardened-refpolicy-a2487221832af4dd3b4e8bef8ad70d3e97975015.zip | |
Setting bluetooth helper domain for bluetoothctl
Required for fixing the below avc denials -
1. audit: type=1400 audit(1651238006.276:496):
avc: denied { read write } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
2. audit: type=1400 audit(1651238006.276:497):
avc: denied { getattr } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
3. audit: type=1400 audit(1651238006.272:495):
avc: denied { read write } for pid=689 comm="dbus-daemon"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
4. audit[1894]: AVC avc: denied { read write } for pid=1894
comm="bluetoothctl" path="/dev/pts/0" dev="devpts" ino=3
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:object_r:initrc_devpts_t:s0
tclass=chr_file permissive=0
5. audit[2022]: AVC avc: denied { use } for pid=2022
comm="bluetoothctl" path="socket:[25769]" dev="sockfs" ino=25769
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
6. audit[2006]: AVC avc: denied { read write } for pid=2006
comm="bluetoothctl" path="socket:[21106]" dev="sockfs" ino=21106
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0
Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy')
| -rw-r--r-- | policy/modules/services/bluetooth.fc | 1 | ||||
| -rw-r--r-- | policy/modules/services/bluetooth.te | 5 |
2 files changed, 6 insertions, 0 deletions
diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc index e167e93f..6067df4b 100644 --- a/policy/modules/services/bluetooth.fc +++ b/policy/modules/services/bluetooth.fc @@ -7,6 +7,7 @@ /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) /usr/bin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/bin/bluetoothctl -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) /usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index b9e4ed99..10d099d3 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -19,6 +19,7 @@ files_type(bluetooth_conf_rw_t) type bluetooth_helper_t; type bluetooth_helper_exec_t; +init_system_domain(bluetooth_helper_t, bluetooth_helper_exec_t) userdom_user_application_domain(bluetooth_helper_t, bluetooth_helper_exec_t) role bluetooth_helper_roles types bluetooth_helper_t; @@ -181,6 +182,8 @@ allow bluetooth_helper_t self:shm create_shm_perms; allow bluetooth_helper_t self:unix_stream_socket { accept connectto listen }; allow bluetooth_helper_t bluetooth_t:socket { read write }; +allow bluetooth_helper_t bluetooth_t:fd use; +allow bluetooth_helper_t bluetooth_t:unix_stream_socket rw_socket_perms; manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) @@ -209,6 +212,8 @@ term_dontaudit_use_all_ttys(bluetooth_helper_t) auth_use_nsswitch(bluetooth_helper_t) +init_use_script_ptys(bluetooth_helper_t) + locallogin_dontaudit_use_fds(bluetooth_helper_t) logging_send_syslog_msg(bluetooth_helper_t) |